eBay may have just surpassed Target for the largest breach so far this year. Two weeks ago the company discovered that attackers had compromised some employee login credentials, which gave them access to a corporate network containing customer records and encrypted passwords. Reports indicate that up to 145 million active customer accounts may have been affected, exposing data such as date of birth, home address, phone number, and email address. Even though eBay told CNET there is “no evidence that any financial information was accessed or compromised,” that personal information is more than enough to do damage, and the most important piece is the password.
The Password Reuse Epidemic and eBay
Passwords remain the most common way to protect data online, and many people know that reusing them is dangerous, yet a large share of web users (estimates range from 43% to 55%) still use the same password on different sites, and the average user has about 25 online accounts. You can imagine, then, the challenge a large enterprise faces in managing users and credentials. Companies with thousands of employees and a sprawling IT infrastructure are attractive targets, and once they are breached, a compromised account can go unnoticed for weeks or even months (eBay believes its intrusion dates back to February).
eBay is now asking its customers to change their passwords, and because password reuse is so widespread, this breach could be one of the most dangerous to date. We have written about security breaches and password reuse a number of times before. The single greatest risk for any organization is the theft of its login credentials, or identities: user credentials, admin credentials, and access to third-party services. All of those identities are critical to protect. Once an attacker has valid credentials, she can impersonate you on every site where those credentials work and do tremendous damage. This is why phishing, a social engineering attack that impersonates a trustworthy entity to obtain sensitive information, is so popular: the payoff often far outstrips the effort.
This core security issue is one we have placed significant emphasis on at JumpCloud with Directory-as-a-Service®. With our Linux SSH and Windows admin user management solution, eBay could have protected itself in a number of ways:
Shift to Keys Versus Username/Password
eBay has not disclosed whether the compromised employee credentials were username/password pairs or SSH keys, but a password compromise seems the more likely explanation. JumpCloud helps raise the bar by managing privileged user access via SSH keys, so that server logins do not depend on a password at all.
Organizations often don't enforce SSH keys because it is hard to apply that standard across hundreds or thousands of servers, and because rotating keys on all of those servers can be painful. JumpCloud turns a key update into a process that takes seconds, even with thousands of servers.
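Enforcing keys fleet-wide starts with knowing which servers actually refuse passwords, and sshd's config semantics make that easy to get wrong: sshd keeps the first value it reads for a keyword and silently ignores later duplicates, and a Match block can re-enable passwords for a subnet. The following audit is an added example (not JumpCloud's code); the two sshd_config samples are constructed, and the OpenSSH defaults it assumes for absent keywords are noted in comments.

```python
"""Audit an sshd_config for key-only login (added example, constructed input).

Two details that a grep-based check gets wrong:
  * sshd uses the FIRST value it reads for a keyword; later duplicates are ignored.
  * settings inside a Match block apply only to sessions matching its criteria.
"""
import re


def effective_settings(config_text):
    """Return (global_settings, shadowed, match_blocks).

    global_settings: {keyword: first value} outside any Match block
    shadowed:        [(keyword, ignored_value)] for later duplicates sshd drops
    match_blocks:    [(criteria, {keyword: value})] for review
    """
    global_settings, shadowed, match_blocks = {}, [], []
    current = global_settings
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        if key in current:
            if current[key] != value:
                shadowed.append((key, value))
            continue  # first value wins
        current[key] = value
    return global_settings, shadowed, match_blocks


def audit(config_text):
    """Return a list of findings; an empty list means password login is off."""
    s, shadowed, matches = effective_settings(config_text)
    findings = []
    # Fallback values below are OpenSSH's defaults when the keyword is absent.
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (default is yes)")
    # Keyboard-interactive (PAM) can still prompt for a password; newer
    # OpenSSH spells the keyword KbdInteractiveAuthentication.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive auth is enabled; PAM may accept passwords")
    if s.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits password login for root")
    for key, ignored in shadowed:
        findings.append(f"{key} {ignored!r} is ignored: sshd keeps the first value")
    for criteria, block in matches:
        if block.get("passwordauthentication") == "yes":
            findings.append(f"Match {criteria!r} re-enables PasswordAuthentication")
    return findings


# Constructed sample configs, not from any real host.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes      # left behind by an old provisioning script
PubkeyAuthentication yes
PasswordAuthentication no       # added later; sshd ignores this duplicate
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
AuthorizedKeysFile .ssh/authorized_keys
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run against the weak sample it reports four problems, including the later `PasswordAuthentication no` that an administrator probably believed had fixed things; the hardened sample passes clean. Running `sshd -T` on each host and feeding its output to the same check is the practical way to confirm what the daemon actually loaded.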
Where Are You Logging in from?
JumpCloud’s event data reporting on login behavior shows you exactly who is logging in to your systems, and from where; eBay would have been alerted to anomalous behavior and might have caught on quickly if the perpetrators’ logins looked suspicious.
Tracking login behavior across a large number of servers is challenging, to say the least. It generally means configuring every one of those servers to forward its authentication log messages to a centralized log management tool, and, once that is done, making sure the configuration persists across all of them. JumpCloud’s agent-based Identity-as-a-Service platform is easy to deploy and maintain while also centralizing the event data.
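Centralizing the data is what makes the anomaly visible: a password spray that touches each host once or twice never trips a per-host threshold. The following detector is an added example (not JumpCloud's reporting) run over constructed sshd syslog lines from two hosts; the baseline of known (user, source IP) pairs, the host names and the addresses are all made up for the illustration.

```python
"""Flag suspicious SSH logins in centralized sshd syslog lines (added example).

Constructed sample: two hosts forward auth logs to one place. Each host alone
sees only one or two failures from 203.0.113.7; combined, the spray-then-
success pattern is obvious.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)\sport\s\d+"
)


def parse(log_text):
    """Yield one dict per Accepted/Failed sshd line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failures_by_ip(log_text):
    """Failed attempts per source IP across every host in the feed."""
    return Counter(e["ip"] for e in parse(log_text) if e["result"] == "Failed")


def detect(log_text, baseline, keys_only=True, fail_threshold=3):
    """Return alerts as dicts with rule/host/user/ip.

    baseline: set of (user, ip) pairs seen in known-good history.
    keys_only: the fleet is supposed to refuse passwords, so any
               'Accepted password' is itself an alert.
    """
    alerts, fails = [], Counter()
    for e in parse(log_text):
        if e["result"] == "Failed":
            fails[e["ip"]] += 1  # counted fleet-wide, not per host
            continue
        ctx = {k: e[k] for k in ("host", "user", "ip")}
        if keys_only and e["method"] == "password":
            alerts.append({"rule": "password_login", **ctx})
        if (e["user"], e["ip"]) not in baseline:
            alerts.append({"rule": "new_source", **ctx})
        if fails[e["ip"]] >= fail_threshold:
            alerts.append({"rule": "brute_force_success", **ctx})
    return alerts


# Constructed sample log, not captured from real systems.
SAMPLE_LOG = """\
May 21 09:12:01 web01 sshd[2214]: Accepted publickey for deploy from 10.1.2.3 port 51022 ssh2: RSA SHA256:QwErTy
May 21 09:12:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 21 09:12:09 web01 sshd[2216]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
May 21 09:12:14 db01 sshd[1771]: Failed password for deploy from 203.0.113.7 port 40141 ssh2
May 21 09:12:30 db01 sshd[1772]: Accepted password for deploy from 203.0.113.7 port 40150 ssh2
May 21 09:15:00 web01 sshd[2220]: Accepted publickey for alice from 10.1.2.9 port 51100 ssh2: ED25519 SHA256:AbCdEf
"""

# Constructed baseline of (user, source IP) pairs from "known good" history.
BASELINE = {("deploy", "10.1.2.3"), ("alice", "10.1.2.9")}

if __name__ == "__main__":
    print(failures_by_ip(SAMPLE_LOG))
    for a in detect(SAMPLE_LOG, BASELINE):
        print(a)
```

The single accepted login on db01 raises all three rules: it used a password on a key-only fleet, it came from an address never seen for that user, and it followed three failures from the same address spread over two hosts. Alice's key login from her usual address raises nothing.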
JumpCloud can require server administrators and users to enter a one-time code before they gain access. We do this via the Google® Authenticator app running on your smartphone or tablet. In eBay’s case, the attackers would have needed the username/password AND the employee’s smartphone (or the secret it holds) to break in. Possible, but much, much harder to do.
Multi-factor authentication can be very difficult to deploy organization-wide; it generally requires a centralized directory and an authentication appliance, which is expensive to buy and worse still to maintain across multiple data centers or clouds. JumpCloud makes multi-factor authentication easy to roll out to end users and easy to install on all your servers.
Controlling and securing user access is a fundamental tenet for JumpCloud. In fact, it’s our entire business! Our cloud-based directory service is the platform that centrally controls user management, provides hosted LDAP, WiFi authentication, multi-factor authentication, device management, and more. Our central logging and auditing data is a key part of our view on how to protect organizations. That’s why we’ve spent so much time building our user management and security features for our Directory-as-a-Service platform. Give it a try for yourself for free. Your first 10 users are free forever.